diff --git a/lib/minisign/private_key.rb b/lib/minisign/private_key.rb
index 6674b78..e652e8a 100644
--- a/lib/minisign/private_key.rb
+++ b/lib/minisign/private_key.rb
@@ -63,6 +63,7 @@ def to_s
 
     def change_password!(new_password)
       @password = new_password
+      @bytes[2..3] = [0, 0] if new_password.nil? # kdf_algorithm
     end
 
     private
diff --git a/spec/minisign/private_key_spec.rb b/spec/minisign/private_key_spec.rb
index ac9de01..defb3c5 100644
--- a/spec/minisign/private_key_spec.rb
+++ b/spec/minisign/private_key_spec.rb
@@ -109,6 +109,9 @@
   end
 
   describe '#change_password!' do
+    before do
+      @private_key = Minisign::PrivateKey.new(File.read('test/minisign.key'), 'password')
+    end
     it 'changes the password' do
       random_trusted_comment = SecureRandom.uuid
       new_password = SecureRandom.uuid
@@ -123,11 +126,26 @@
       expect do
         Minisign::PrivateKey.new(@private_key.to_s, new_password)
       end.not_to raise_error
+      expect do
+        Minisign::PrivateKey.new(@private_key.to_s)
+      end.to raise_error('Missing password for encrypted key')
 
       File.write('test/generated/new-password.key', @private_key)
       path = 'test/generated'
       command = "echo #{new_password} | #{path}/minisign -Sm #{path}/.keep -s #{path}/new-password.key"
       expect(system(command)).to be(true)
     end
+
+    it 'removes the password if nil' do
+      @private_key.change_password! nil
+      expect do
+        Minisign::PrivateKey.new(@private_key.to_s)
+      end.not_to raise_error
+      File.write('test/generated/removed-password.key', @private_key)
+      path = 'test/generated'
+      # does not prompt for password
+      command = "#{path}/minisign -Sm #{path}/.keep -s #{path}/removed-password.key"
+      expect(system(command)).to be(true)
+    end
   end
 end